[OpenWrt-Devel] [PATCH v3 2/3] network/config: add xfrm interface support scripts

Andre Valentin avalentin at marcant.net
Thu Jun 13 03:19:38 EDT 2019


Hi!

On 13.06.19 08:44, Hans Dedecker wrote:
> Hi,
> 
> On Wed, Jun 12, 2019 at 8:28 PM Andre Valentin <avalentin at marcant.net> wrote:
>>
>> Hi Hans!!
>> Am 11.06.19 um 22:16 schrieb Hans Dedecker:
>>> Hi,
>>>
>>> On Mon, Jun 10, 2019 at 8:10 PM Andre Valentin <avalentin at marcant.net> wrote:
>>>>
>>>> Hi Hans,
>>>>
>>>> After testing xfrm tunnels a bit I found two big differences compared to other conventional tunnels.
>>>> 1) xfrm tunnel interfaces cannot be replaced with netlink
>>>> 2) xfrm tunnel interfaces DO NOT vanish if parent is deleted
>>>>
>>>> This leads to some errors and a loop in interface creation. With the changes below,
>>>> it works smoothly when not bound to ppp interfaces (using lan instead), see:
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
>>>> and so on
>>>> What do you think?
>>> The description is a bit cryptic to me; could you explain what works
>>> and what does not work and why ?
>> Sorry for being cryptic, I tend to do that ;-) Okay, I do the following:
>> # ifup xfrm0
>> ... use it
>> # ifdown xfrm0
>> The interface still exists (checked with ip link)
>>
>> Now I'll do ifup again and this happens endlessly:
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14255): Command failed: Unknown error
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is now down
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: Interface 'xfrm0' is setting up now
>>>> Mon Jun 10 11:42:06 2019 daemon.notice netifd: xfrm0 (14281): Command failed: Unknown error
>>
>> In netifd the xfrm0 interface is created with the REPLACE flag, but that does not seem to work; it cannot be recreated and fails.
>> The result is the above error repeating.
>> That's why I am thinking about a call to "ip link delete xfrm0" before the proto_init_update call and in the teardown call.
> Adding the ip link calls does not make sense to me as netifd should
> take care of deleting the xfrm interfaces.
> Are you sure the xfrm interfaces can be deleted by the ioctl call
> SIOCDELTUNNEL as is the case now ?
> For the other tunnel interfaces like vti/gre deletion is done via the
> netlink interface.

Good point, I will check that.
> 
> Next to that I noticed a tunlink is specified in xfrm.sh but no
> proto_add_host_dependency is added; is this on purpose ?
Yes, that is on purpose. The tunlink specified is a must, but is not
used for decrypting and encrypting packets. It works on every interface.

Also the XFRM interface has no IP endpoint, so there is no possibility to
add this to the interface; it would be only cosmetic.

Thanks,

André
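
An added example, not code from the patch under discussion and not netifd's own proto_* helpers: a small POSIX sh wrapper for the workaround Andre describes above, deleting any stale xfrm link before creating it and again in teardown, since an existing xfrm link is reported in the thread as neither replaceable over netlink nor removed with its parent. The helper names, the use of plain iproute2 `ip link` commands instead of netifd, and the sample values xfrm0, lan and if_id 42 are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the OpenWrt patch): idempotent setup/teardown of an
# xfrm interface. Any previous instance is deleted before creation, because an
# existing xfrm link is not replaced and a previous ifdown may have left it.
# Assumed: helper names, plain iproute2 usage, sample values xfrm0 / lan / 42.

set -u

# Return 0 if the link exists. "ip link show dev X" exits non-zero (and
# writes to stderr) when there is no such device.
xfrm_link_exists() {
    ip link show dev "$1" >/dev/null 2>&1
}

# Delete the link if it is present. Returns 0 when the link is absent
# afterwards, 1 if the delete failed.
xfrm_link_remove() {
    if xfrm_link_exists "$1"; then
        ip link delete "$1" || return 1
    fi
    return 0
}

# Create an xfrm interface $1 bound to parent $2 with interface id $3.
# The if_id selects the matching xfrm policies/states; the parent device
# is required by iproute2 but any interface can be given.
xfrm_setup() {
    ifname="$1"; tunlink="$2"; ifid="$3"
    xfrm_link_remove "$ifname" || return 1
    ip link add "$ifname" type xfrm dev "$tunlink" if_id "$ifid" || return 1
    ip link set "$ifname" up || return 1
}

# Teardown deletes the link explicitly rather than relying on the parent
# going away, which does not remove an xfrm link.
xfrm_teardown() {
    xfrm_link_remove "$1"
}

# Usage (needs root and a kernel with CONFIG_XFRM_INTERFACE):
#   sh xfrm-example.sh up    # create xfrm0 on lan with if_id 42
#   sh xfrm-example.sh down  # delete xfrm0
case "${1:-}" in
    up)   xfrm_setup xfrm0 lan 42 ;;
    down) xfrm_teardown xfrm0 ;;
esac
```

Running `up` twice in a row no longer fails on the second attempt, and `down` leaves nothing behind for the next `up` to trip over, which is the loop from the netifd log above.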

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel